CVE-2024-6281
Published 2024-07-20
Priority: P3 39 · Severity: high · CVSS 3.0 base score: 7.3 (vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS: 0.27% (17.8th percentile)
A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.
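As an added defender's illustration (not lollms's code, and not the project's actual `sanitize_path`), the following contrasts a naive join of a user-controlled `discussion_db_name` onto a base directory with a containment check that rejects traversal; the base directory, the `.db` suffix and the function names are assumptions.

```python
"""Confining a user-supplied database file name to a fixed base directory.

Added example for this advisory, not the lollms project's own code. The
function names, the base directory and the '.db' suffix are assumptions.
"""
from pathlib import Path


def naive_join(base_dir: str, db_name: str) -> Path:
    """Weak pattern: trust the name and join it onto the base directory.

    A name carrying '..' segments or an absolute path escapes base_dir,
    which is the bug class the advisory describes for discussion_db_name.
    """
    return Path(base_dir) / db_name


def escapes_base(base_dir: str, db_name: str) -> bool:
    """Report whether the naive join resolves outside base_dir."""
    base = Path(base_dir).resolve()
    return not naive_join(base_dir, db_name).resolve().is_relative_to(base)


def confined_db_path(base_dir: str, db_name: str) -> Path:
    """Hardened pattern: accept a bare file name only, then verify containment.

    Raises ValueError for path separators, '.' or '..' names, absolute paths
    and anything whose resolved location lies outside base_dir.
    """
    if not db_name or db_name in (".", "..") or Path(db_name).name != db_name:
        raise ValueError(f"invalid database name: {db_name!r}")
    if not db_name.endswith(".db"):      # assumed naming convention
        db_name += ".db"
    base = Path(base_dir).resolve()
    candidate = (base / db_name).resolve()
    # resolve() collapses '..' and follows symlinks, so containment is checked
    # on the final on-disk location rather than on the textual input.
    if not candidate.is_relative_to(base):
        raise ValueError("database path escapes base directory")
    return candidate


def rejects(base_dir: str, db_name: str) -> bool:
    """True when confined_db_path refuses db_name (used for self-checks)."""
    try:
        confined_db_path(base_dir, db_name)
    except ValueError:
        return True
    return False
```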
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms | >= 0 < 9.5.1 | 9.5.1 |
| parisneo | parisneo_lollms | >= unspecified < 9.5.1 | 9.5.1 |
GHSA (2024-07-20): CVE-2024-6281 [HIGH] CWE-22 — LoLLMS vulnerable to Expected Behavior Violation
OSV (2024-07-20): CVE-2024-6281 [HIGH] — LoLLMS vulnerable to Expected Behavior Violation
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.